On Tue, Jun 24, 2014 at 8:33 AM, Filipe Brandenburger
<filbranden(a)google.com> wrote:
> On Tue, Jun 24, 2014 at 6:27 AM, Renich Bon Ciric
> <renich(a)woralelandia.com> wrote:
> > The reason they enable sudo and lock root is to keep better auditing
> > options. But, hey, it's not like you're gonna create 20 keys in a
> > single server for 20 admins to go in and do stuff.
>
> Huh, it kind of is... If you create a project and add many users to
> it, all of them will get accounts created by google-compute-daemon, so
> in effect every user of the project will be able to log in to every
> compute instance. I currently work on a project with 5 users and all
> of us can log in to all instances. If someone else comes along to the
> project, we just add them and they get access to all instances
> automatically.

My only problem with that is that it will create passwordless sudo for
all of them. I don't think you want 20 admins in a 20-user server. My
point is that, usually, one is admin and he delegates (through sudo,
perms and groups, ACL, SELinux, etc.).

> > I can live with SSH keys injected to root. A root with its SSH
> > allowing login without-password only. This would be convenient and no
> > passwords involved.
>
> I see value in keeping home directories for each user... For instance,
> that means I don't *have* to be root all the time and I don't run the
> risk of typing a mistaken command and hosing the box... It also means
> I can customize my home with a .bashrc, .vimrc, .gitconfig without
> worrying about my colleagues logging in to that box and being annoyed
> by my settings taking over.

Oh, I agree with you! No need to be root all the time. I'd create
a mortal user account as well; use root only for admin stuff. But, in
the current design, every account you create is root, if they use
sudo.

That's not so cool...

Also, if you're root, you can have ~/.vimrc and ~/.gitconfig without
them polluting your users' environment. ;)

--
It's hard to be free... but I love to struggle. Love isn't asked for;
it's just given. Respect isn't asked for; it's earned!
Renich Bon Ciric
http://www.woralelandia.com/
http://www.introbella.com/
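
The concern in the message above, that every account added to the project ends up with passwordless sudo, can be checked on a host by listing which principals hold an unrestricted `NOPASSWD: ALL` grant. This is an added example, not part of the original thread or of google-compute-daemon; the sudoers text and account names are constructed, and the parser assumes one host specification per line and does not follow include directives.

```python
import re

# Constructed sample sudoers text (not from a real instance); names are hypothetical.
SAMPLE_SUDOERS = """\
# per-user grants
Defaults env_reset
root    ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(ALL:ALL) NOPASSWD: \\
        ALL
%wheel  ALL=(ALL) ALL
carol   ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
%ops    ALL = NOPASSWD:ALL
dave    ALL=(ALL) PASSWD: ALL
"""

SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=]+?)\s*=\s*(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+)\s*:\s*")  # NOPASSWD:, PASSWD:, NOEXEC:, SETENV:, ...
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def unrestricted_nopasswd(text):
    """Return sorted users/%groups that may run ALL commands without a password."""
    found = set()
    for line in logical_lines(text):
        m = SPEC.match(line)
        if line.startswith(SKIP) or not m:
            continue
        nopasswd = False  # a tag stays in force for later commands in the list
        for cmd in m["rest"].split(","):
            cmd = re.sub(r"^\([^)]*\)\s*", "", cmd.strip())  # drop Runas spec
            while (t := TAG.match(cmd)):
                if t[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = t[1] == "NOPASSWD"
                cmd = cmd[t.end():]
            if nopasswd and cmd == "ALL":
                found.add(m["who"])
    return sorted(found)

if __name__ == "__main__":
    print(unrestricted_nopasswd(SAMPLE_SUDOERS))
```

To audit a host, pass it the contents of the main sudoers file and of each drop-in file in turn.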